WEBVTT
00:00:00.200 --> 00:00:06.200
[Music]
00:00:17.820 --> 00:00:21.100
>> All right. Welcome back to the
Windows Intune Jumpstart for
00:00:21.150 --> 00:00:27.850
IT professionals. Next up, right
now, is Module 3, extending
00:00:27.900 --> 00:00:31.010
your identity to Windows Azure
Active Directory. There is a
00:00:31.060 --> 00:00:31.900
lot of
00:00:33.120 --> 00:00:36.410
confusion around this from a lot
of different people, and so
00:00:36.460 --> 00:00:40.390
hopefully after this module is
done, you can be a little more
00:00:40.440 --> 00:00:44.620
clear on all of the different options
of synchronizing your AD
00:00:44.670 --> 00:00:49.640
and what all of that means. So
let's go to the next slide.
00:00:50.700 --> 00:00:53.400
That just tells you where we're at
in the day, the third module.
00:00:54.720 --> 00:00:56.680
And this is the overall flow that
we're going to go through.
00:00:56.730 --> 00:01:00.770
First off, we're going to clarify, what
is Windows Azure Active Directory.
00:01:01.340 --> 00:01:06.880
We've had some naming changes and
that is the first point of
00:01:06.930 --> 00:01:11.020
foundation to clarify. After that,
you know, we'll get into the
00:01:11.070 --> 00:01:14.570
different management options for
your identity. And followed
00:01:14.620 --> 00:01:16.950
by that, we'll give you some how-to,
some practical, if you want
00:01:17.000 --> 00:01:20.380
to do any one of those three identity
management options, how
00:01:20.430 --> 00:01:21.300
do you get it done.
00:01:23.260 --> 00:01:26.980
So with that, let's start with what
is Windows Active Directory
00:01:27.030 --> 00:01:29.970
in Windows Azure. So first
off, we have this
00:01:32.340 --> 00:01:35.920
cloud service that we started
quite some time ago, right?
00:01:35.970 --> 00:01:40.600
And we wanted the cloud service to be
able to be utilized independent,
00:01:40.650 --> 00:01:44.690
right, of whether you have any on-premise
Active Directory or not.
00:01:44.740 --> 00:01:47.400
So the question is, if the user
wants to sign in, and I'm just
00:01:47.450 --> 00:01:51.140
drawing with my finger here,
how does that user sign in?
00:01:51.190 --> 00:01:56.180
Well, with that in mind, we created
Windows Azure Active Directory.
00:01:56.230 --> 00:01:59.320
Now, you may ask why didn't we just
take the on-premise Active
00:01:59.370 --> 00:02:03.840
Directory and just stick that in
the cloud? Well, there were
00:02:03.890 --> 00:02:09.730
quite a few reasons why we re-architected
things. Because when
00:02:09.780 --> 00:02:13.150
Active Directory was designed initially,
it was not designed
00:02:13.200 --> 00:02:17.730
for the types of capabilities in
the cloud, scale, and the types
00:02:17.780 --> 00:02:21.460
of things that need to be done, so we had
to come up with a similar concept.
00:02:21.510 --> 00:02:24.780
Now, keep in mind, we did use a
lot of the same knowledge that
00:02:24.830 --> 00:02:27.970
we had with Active Directory, but it
is a totally separate directory
00:02:28.020 --> 00:02:31.010
that's designed for cloud operations.
So that's what Windows
00:02:31.060 --> 00:02:33.740
Azure Active Directory will do
is allow you to... that user
00:02:33.790 --> 00:02:36.960
to synchronize and authenticate
solely in the cloud.
00:02:38.340 --> 00:02:43.490
But like most of you know, you probably
have an on-premise Active
00:02:43.540 --> 00:02:48.350
Directory, and you say, well, hey, how
does this guy, who's on-premise,
00:02:48.910 --> 00:02:52.490
get synchronized up to Windows
Azure Active Directory?
00:02:52.540 --> 00:02:57.290
Well, more than likely, right,
you've got probably a server,
00:02:57.340 --> 00:03:01.610
Windows Server running here with
your Active Directory, and the
00:03:01.660 --> 00:03:07.130
first thing I want to also clarify
is you can run Active Directory
00:03:08.110 --> 00:03:13.140
in a VM, right. You can move this
up to infrastructure as a service
00:03:13.190 --> 00:03:19.480
in Windows Azure and run that same
thing that you have on-premise
00:03:19.530 --> 00:03:23.610
as a VM as Windows Azure. So
some people refer to that as
00:03:25.890 --> 00:03:30.360
Active Directory running in Windows
Azure. So it is kind of
00:03:30.410 --> 00:03:36.180
confusing, but just to be clear,
running Active Directory on
00:03:36.230 --> 00:03:40.080
a VM in the infrastructure as a
service in Windows Azure does
00:03:40.130 --> 00:03:44.360
not equal the same thing as Windows
Azure Active Directory.
00:03:45.260 --> 00:03:49.440
So they're two different things.
Hopefully that makes sense
00:03:49.490 --> 00:03:54.120
for you in the differences. But
obviously, we're not talking
00:03:54.170 --> 00:03:56.260
at this point of how do you synchronize,
right, how do you get
00:03:56.310 --> 00:03:59.570
those identities together. We'll
get to that in a minute.
00:04:00.250 --> 00:04:03.180
But what I want to also bring up,
and as you've seen just earlier,
00:04:03.230 --> 00:04:07.620
is that we have not only Windows
Intune, but we have all kinds
00:04:07.670 --> 00:04:10.470
of other services authenticating
and tying into Windows Azure
00:04:10.520 --> 00:04:14.640
Active Directory so we've got
Office 365, Dynamics CRM.
00:04:14.690 --> 00:04:18.540
You're going to start to see more
and more momentum and more
00:04:18.590 --> 00:04:20.990
uses for Windows Azure Active
Directory as we go.
00:04:24.050 --> 00:04:28.080
I want to also clarify on another
point of the online IDs.
00:04:28.130 --> 00:04:31.790
When you first sign up for an account,
you are going to have
00:04:31.840 --> 00:04:37.530
to use an OnMicrosoft.com ID. Now,
after you're all said and
00:04:37.580 --> 00:04:40.800
done, there's a way that you can
make this OnMicrosoft.com ID
00:04:40.850 --> 00:04:43.610
only really be utilized for your
administrative accounts.
00:04:44.110 --> 00:04:48.410
Effectively, once you add your own
domain names in, that's probably
00:04:48.460 --> 00:04:50.860
how most organizations are going
to want to work. You probably
00:04:50.910 --> 00:04:53.390
aren't going to want to have people
sign in with this long ID.
00:04:53.440 --> 00:04:56.300
So for all intents and purposes,
you don't need to be overly
00:04:56.350 --> 00:04:59.120
concerned about what that
name is that you use.
00:05:01.110 --> 00:05:03.720
It is important to remember what
that is, because that is the
00:05:03.770 --> 00:05:07.270
global admin account, the first
account that you sign up with,
00:05:07.320 --> 00:05:11.210
that has certain capabilities that
you need to do for any kind
00:05:11.260 --> 00:05:16.740
of synchronization throughout the
course of the configuration
00:05:16.790 --> 00:05:17.510
that you're going to do.
00:05:19.610 --> 00:05:20.110
Okay.
00:05:21.190 --> 00:05:25.530
So talking about the identity management
options, you've got
00:05:25.580 --> 00:05:28.600
an on-premise ID, and you have Windows
Azure Active Directory.
00:05:28.650 --> 00:05:33.280
How do you synthesize or how do you
make things make sense between
00:05:33.330 --> 00:05:36.990
the two different databases
of user accounts?
00:05:37.600 --> 00:05:41.040
First off, I want to clarify one
thing. There's two different
00:05:41.090 --> 00:05:42.290
scenarios here.
00:05:43.030 --> 00:05:45.110
There's provisioning and synchronization.
00:05:45.890 --> 00:05:50.280
When we talk about provisioning,
that is just putting a user
00:05:50.330 --> 00:05:54.200
account into an authentication scheme,
right, or a database, right.
00:05:54.250 --> 00:05:55.860
That's getting the account there.
00:05:56.820 --> 00:05:59.320
What most people are going to want
to do if they have an on-premise
00:05:59.370 --> 00:06:01.750
Active Directory is they're going
to want to have some form of
00:06:01.800 --> 00:06:04.620
synchronization, meaning you want
to have some consistency of
00:06:04.670 --> 00:06:08.660
the user IDs, passwords between
these two different databases
00:06:08.710 --> 00:06:12.190
of on-premise ID and Windows
Azure Active Directory.
00:06:12.730 --> 00:06:15.650
When you do synchronize, you're going
to be provisioning accounts,
00:06:15.700 --> 00:06:18.350
right, but if you provision accounts
you aren't necessarily going
00:06:18.400 --> 00:06:22.620
to be synchronizing those accounts.
You may just manually create those.
00:06:24.040 --> 00:06:24.950
So this here
00:06:26.680 --> 00:06:29.920
goes into the different types of options
that you have for provisioning
00:06:29.970 --> 00:06:34.820
those accounts. First off, there's
a manual option, and with
00:06:34.870 --> 00:06:37.250
the manual option, you're going
to be able to create objects
00:06:37.300 --> 00:06:41.750
in AD via the admin portal, as
you've seen earlier. You can
00:06:41.800 --> 00:06:44.980
go in and use the portal, say add
a new user account, and then
00:06:45.030 --> 00:06:48.030
that creates a Windows ID just in
Windows Azure Active Directory,
00:06:48.080 --> 00:06:50.370
or bulk import, which I'm going to
show you here in a little bit.
00:06:51.870 --> 00:06:55.090
Folks that want to do this is...
are organizations that probably
00:06:55.140 --> 00:06:58.830
have no on-premise Active Directory
and you may want to use only
00:06:58.880 --> 00:07:03.460
Windows Azure AD to authenticate all
your users inside your organization,
00:07:03.510 --> 00:07:07.060
or we have, you know, some customers,
they may want to have two
00:07:07.110 --> 00:07:11.600
different sets of IDs so that you
can have those people who are
00:07:11.650 --> 00:07:14.540
maybe sales folks or maybe they randomly
use it or there's different
00:07:14.590 --> 00:07:17.570
use cases for that. But that
would be the manual option.
00:07:18.750 --> 00:07:22.920
For those of you who like to script
or you've got developers
00:07:22.970 --> 00:07:27.740
in your house that really want to
automate custom directory stuff,
00:07:27.790 --> 00:07:30.410
you've got all kind of different
things going on there, we do
00:07:30.460 --> 00:07:35.050
provide API, the Graph API for that,
and PowerShell cmdlets
00:07:35.100 --> 00:07:39.160
so you can provision users inside of
Windows Azure Active Directory.
00:07:39.730 --> 00:07:42.580
And I would say most folks are
probably not going to be using
00:07:42.630 --> 00:07:46.160
this option, but just so you know
it's there if you've got very
00:07:46.210 --> 00:07:48.240
unique or specialized circumstances.
00:07:50.160 --> 00:07:52.800
The last one, which is what most
people are going to use, and
00:07:52.850 --> 00:07:55.620
there's a number of solutions inside
this bucket, is automated, right.
00:07:55.670 --> 00:07:59.650
How are you going to automatically
create and provision accounts
00:07:59.700 --> 00:08:03.950
and more than likely synchronize those
with the on-premise directory, right.
00:08:04.000 --> 00:08:08.310
So we threw out a couple of technologies
DirSync. Forefront Identity
00:08:08.360 --> 00:08:11.010
Manager is another big one. We
won't really be talking about
00:08:11.060 --> 00:08:14.770
that much today, but Forefront Identity
Manager is a great solution
00:08:14.820 --> 00:08:18.910
if you want to synchronize your accounts,
have user account management.
00:08:18.960 --> 00:08:21.690
There's a lot of other things that
come with FIM, even if you
00:08:21.740 --> 00:08:25.040
only have on-premise AD. Also,
Forefront Identity Manager is
00:08:25.090 --> 00:08:28.050
good if you've got multiple forests.
So if you're doing anything
00:08:28.100 --> 00:08:31.970
really complex, FIM is a good product
to look at outside of the
00:08:32.020 --> 00:08:36.210
scope of today and this session.
But we'll be digging into more
00:08:36.260 --> 00:08:38.790
of these automated methods
here right now.
00:08:40.290 --> 00:08:43.620
So what are... how does it work,
right? So these are really three
00:08:43.670 --> 00:08:46.660
high level buckets of choices you
have to make after you sign
00:08:46.710 --> 00:08:51.180
up for a cloud service account,
Office 365 or Windows Intune
00:08:51.230 --> 00:08:54.950
that you need to make. The first
one, pretty simple, all right?
00:08:55.000 --> 00:08:58.160
Cloud only integration or I'll
just call it no integration.
00:08:58.810 --> 00:09:01.290
And in this case, what you're going
to be doing is you've got...
00:09:01.340 --> 00:09:04.690
let's say you've got an on-premise
AD. You've got contoso.com.
00:09:05.380 --> 00:09:09.260
You'll go up there to the admin portal
and/or use the PowerShell
00:09:09.310 --> 00:09:13.060
or the graph means that I mentioned
earlier to provision that account.
00:09:13.110 --> 00:09:17.810
And that says if there's no... the
only synchronization or connection
00:09:17.860 --> 00:09:21.210
between the two is the fact that,
you know, you know it's Joe.
00:09:21.950 --> 00:09:25.830
You know that if you want to save
the same domain in contoso.com
00:09:26.350 --> 00:09:28.490
up in your cloud, you can have
the same user account, but it
00:09:28.540 --> 00:09:32.530
is a totally separate user account,
right. So you could still
00:09:32.580 --> 00:09:38.070
have joe@contoso.com, but effectively,
it would be joe@contoso.com
00:09:38.270 --> 00:09:43.060
in two different places and two different
passwords, two different,
00:09:43.110 --> 00:09:47.780
you know, scenarios there. So that's
a pretty simple example,
00:09:47.830 --> 00:09:52.310
but that's really your first
and most simple option.
00:09:53.840 --> 00:09:58.680
The next one starts to get a little
more complicated, and with
00:09:58.730 --> 00:10:01.500
this one, what we're going to use
is a product called DirSync.
00:10:01.550 --> 00:10:05.290
It's really just a tool that you'll
see, and we'll show a demo
00:10:05.340 --> 00:10:10.600
of this in a little bit. But what
this is is it synchronizes
00:10:11.080 --> 00:10:15.170
your on-premise AD up to the directory
store. So you notice
00:10:15.220 --> 00:10:19.300
there, you saw the user account get
moved over. Now here's where
00:10:19.350 --> 00:10:20.800
it gets a little bit tricky.
00:10:21.850 --> 00:10:27.130
If you have signed up and registered
and verified your domain
00:10:27.180 --> 00:10:31.770
name in the cloud, in the Windows
Azure Active Directory console,
00:10:31.820 --> 00:10:35.660
which I'm also going to show you,
and that is the same principal
00:10:35.710 --> 00:10:39.200
name, so let's say contoso.com.
So joe@contoso.com, if you've
00:10:39.250 --> 00:10:44.880
registered contoso.com up in the portal,
and you do the synchronization,
00:10:45.050 --> 00:10:50.860
then Joe will show up as joe@contoso.com,
and that will automatically
00:10:50.910 --> 00:10:53.170
be provisioned based on
your on-premise ID.
00:10:54.080 --> 00:10:58.490
Now, by default, though, what's...
this still has that same
00:10:58.540 --> 00:11:03.020
somewhat of limitation of the first
option, which is that here
00:11:03.070 --> 00:11:09.470
you've got a password one, okay,
and other here when you do this
00:11:09.520 --> 00:11:14.850
by default, you're going to have
password two, because this is...
00:11:14.900 --> 00:11:18.690
even though it may be automated
and synchronized, by default,
00:11:18.740 --> 00:11:22.730
the passwords are not going to synchronize
with the DirSync tool.
00:11:24.100 --> 00:11:27.270
Right now, there are the ability
for... there is the ability
00:11:27.320 --> 00:11:30.810
for you to do a manual synchronization
of just the passwords
00:11:32.150 --> 00:11:35.110
or you can use a third party to
do that, and that's definitely
00:11:35.160 --> 00:11:37.110
what I'd recommend because otherwise
what you're going to still
00:11:37.160 --> 00:11:40.070
have is the same scenario as you
had before kind of with the
00:11:40.120 --> 00:11:43.090
cloud only, in that you've got two
user IDs, you've got two sets
00:11:43.140 --> 00:11:45.000
the passwords, two sets of
00:11:47.570 --> 00:11:50.450
credentials, effectively. I mean,
yeah, the user remembers their
00:11:50.500 --> 00:11:54.100
user name, but they still have to
remember two different passwords
00:11:54.150 --> 00:11:56.190
and two different password
policies, right?
00:11:57.230 --> 00:12:00.370
So that's, you know, that's the middle
option here, the directory
00:12:00.420 --> 00:12:01.850
synchronization option.
00:12:03.790 --> 00:12:08.190
We get to the most complicated but,
also, the most beneficial,
00:12:08.910 --> 00:12:13.790
we have directory synchronization
combined with a federation.
00:12:14.350 --> 00:12:17.320
And inherently, that gives
you a single sign-on.
00:12:17.890 --> 00:12:24.550
How this works is we do the same thing in
that we use directory synchronization.
00:12:25.230 --> 00:12:28.000
So you'll notice here that that
user gets synchronized over.
00:12:28.050 --> 00:12:30.450
But here is where things are different.
You notice that trust
00:12:30.500 --> 00:12:35.680
popped up there. What happens
here is that user... so let's
00:12:35.730 --> 00:12:39.720
say that that user wants to log into
a service, right. That service
00:12:39.770 --> 00:12:43.550
is then going to come and detect
that the user's there.
00:12:43.600 --> 00:12:47.310
They're going to notice that that
user is a federated user.
00:12:47.980 --> 00:12:52.760
It's then going to go up back through
the trust, authenticate
00:12:52.810 --> 00:12:56.490
back into your Active Directory federation
server, get that token
00:12:56.540 --> 00:12:59.580
for authentication. So this is
where you need that inbound...
00:12:59.960 --> 00:13:03.610
some form of inbound SSL authentication
back to an AD FS server
00:13:03.660 --> 00:13:07.080
or an AD FS proxy server. And then
it will come back and then
00:13:07.130 --> 00:13:12.510
say, yep, that user's good to authenticate.
But with that, right,
00:13:12.560 --> 00:13:15.650
the advantage of that is that there's
a lot of different things
00:13:15.700 --> 00:13:17.730
and we'll get into a comparison
slide here. But you've got,
00:13:17.780 --> 00:13:22.110
right, one set of password policies.
You've got one set of credentials.
00:13:22.440 --> 00:13:27.130
You manage it in one place, and,
you know, everything else just
00:13:27.180 --> 00:13:28.950
kind of happens more naturally there.
00:13:30.720 --> 00:13:33.600
What are the... what are these downfalls?
So I've kind of given
00:13:33.650 --> 00:13:35.750
you the options, the three different
options here. So let's
00:13:35.800 --> 00:13:39.270
give a breakdown of when you would
want to use one versus the other.
00:13:39.320 --> 00:13:43.590
The first is no integration. Again,
if you're a smaller organization,
00:13:44.030 --> 00:13:48.010
you have no on-premise AD or you really
just want to be a cloud-only
00:13:48.060 --> 00:13:50.930
organization, right. No integration
is fine. There's nothing
00:13:50.980 --> 00:13:54.030
wrong with that, all right? You know,
it works great, and you've
00:13:54.080 --> 00:13:57.210
got one, really one identity and that
identity is only in the cloud.
00:13:58.250 --> 00:14:01.010
The benefit is that you don't need
any servers. You don't need
00:14:01.060 --> 00:14:03.850
any setup. It's really easy. You
just provision the users and
00:14:03.900 --> 00:14:04.590
you're good to go.
00:14:05.450 --> 00:14:07.990
The downfall is you don't get some
of the bonus adds, right.
00:14:08.040 --> 00:14:12.030
You don't get the single sign-on
if you have a corporate domain
00:14:12.080 --> 00:14:15.700
where you want them to log into
your corporate domain account
00:14:15.750 --> 00:14:19.720
and, you know, you want them to
be able to automatically log
00:14:19.770 --> 00:14:20.740
in and authenticate.
00:14:21.920 --> 00:14:28.010
And again, like, you know, your
IDs are mastered in the cloud
00:14:28.060 --> 00:14:30.860
and so you're really just managing
two separate set of credentials.
00:14:32.590 --> 00:14:37.960
The directory only, you know, this
is a good option, I would
00:14:38.010 --> 00:14:41.190
say, if you decide to do the password
sync. Because if you
00:14:41.240 --> 00:14:44.590
do the password sync, you still
do not get the single sign-on,
00:14:44.640 --> 00:14:47.630
and you don't get the two factor
authentication, but what you
00:14:47.680 --> 00:14:53.380
do get is a consistent set of credentials
that you can manage
00:14:53.430 --> 00:14:55.820
across those two machines. Now,
the downfall of this, though,
00:14:55.870 --> 00:15:00.010
is that it's pretty tricky, pretty
complex. We have heard the
00:15:00.060 --> 00:15:04.240
feedback from folks that they would like
to see password synchronization
00:15:04.290 --> 00:15:07.820
happen more automatically, perhaps
let's say with DirSync.
00:15:08.240 --> 00:15:11.520
But that's not something that
we have out at this time.
00:15:12.380 --> 00:15:19.150
Now, if we go to the third option,
right, we have the directory
00:15:19.200 --> 00:15:22.850
services and single sign-on with
AD FS. This enables a lot of
00:15:22.900 --> 00:15:25.230
different scenarios, right? Two-factor
authentication. If you
00:15:25.280 --> 00:15:27.800
want users to be able to sign in
00:15:29.070 --> 00:15:33.430
using a, you know, an RSID or,
you know, any... smart card,
00:15:33.480 --> 00:15:36.100
a certificate or anything else
like that, you're pretty much
00:15:36.150 --> 00:15:38.320
going to need to go to
a federated scenario.
00:15:39.020 --> 00:15:43.410
The other deal is if you have multiple
forests and you have multiple
00:15:44.010 --> 00:15:47.730
domains outside of, you know, your
own organization, like, so
00:15:47.780 --> 00:15:50.250
multiple forests, you really are
going to probably need to go
00:15:50.300 --> 00:15:53.740
to a federated scenario, because...
and it gets really complex
00:15:53.790 --> 00:15:56.240
as soon as you start going to multiple
forests and integrates
00:15:56.290 --> 00:15:58.570
with Windows Azure Active Directory.
There's a number of tools
00:15:58.620 --> 00:16:01.850
to help with that. Forefront Identity
Manager is one of them,
00:16:01.900 --> 00:16:07.090
but yeah, so there is that
there. Go ahead.
00:16:07.140 --> 00:16:08.930
>> Got a quick question that's actually
come up from Billy in
00:16:08.980 --> 00:16:11.960
the queue that is pertinent to
this point. So he's saying for
00:16:12.010 --> 00:16:13.140
a small business
00:16:14.340 --> 00:16:20.360
with a single Windows Server, can they
add AD for that organization?
00:16:20.410 --> 00:16:24.020
Is there any additional cost to
that with only a single server?
00:16:24.070 --> 00:16:27.740
So I know on the cost front, there's
no additional cost to actually
00:16:27.790 --> 00:16:33.850
add the sync service and AD FS parcel.
However, on the infrastructure
00:16:33.900 --> 00:16:35.630
side, there is a requirement.
00:16:36.490 --> 00:16:39.500
>> Yeah, so well if you have a single
server, right, and you don't
00:16:39.550 --> 00:16:43.330
have on-premise AD, then you would
need to add the Windows Azure...
00:16:43.380 --> 00:16:46.160
not Windows Azure, but you need to
add the Active Directory role
00:16:46.210 --> 00:16:47.020
to that server.
00:16:47.070 --> 00:16:48.420
>> Right. So you have
that. He's got a...
00:16:48.470 --> 00:16:52.120
>> So if I've got that, right, if
you've got that, then really,
00:16:52.170 --> 00:16:55.640
I mean, there's no cost for DirSync
or AD FS, as long as you
00:16:55.690 --> 00:16:59.050
can run it on that same server. As soon
as you go to adding additional
00:16:59.100 --> 00:17:04.160
servers, now you need to pay for
that, right. So with the...
00:17:04.210 --> 00:17:07.250
and we'll get into the breakdown
of the federated as we get into
00:17:07.300 --> 00:17:09.680
the how-to on the number of servers
you need and all that kind
00:17:09.730 --> 00:17:12.140
of thing, but that does require
more infrastructure. So you
00:17:12.190 --> 00:17:14.460
more than likely, if you've got
one server and you want to do
00:17:14.510 --> 00:17:16.600
a federated plus single sign-on,
you're probably going to pay
00:17:16.650 --> 00:17:19.230
more because you're going to more
than likely need at least a
00:17:19.280 --> 00:17:22.130
couple more servers, depending on
how, you know, how many users
00:17:22.180 --> 00:17:24.300
you have and what kind of scalability
you need. So there's
00:17:24.350 --> 00:17:27.410
an inherent cost in infrastructure,
but there's not really an
00:17:27.460 --> 00:17:30.160
inherent, like, licensing cost,
right, for that. I mean, you
00:17:30.210 --> 00:17:33.040
just pay for the licenses that you
pay for, for up in the cloud.
00:17:33.740 --> 00:17:34.240
>> Right.
00:17:35.550 --> 00:17:39.000
>> Okay. The other thing that I
haven't talked about at all is
00:17:39.050 --> 00:17:42.420
location isolation, one of the
PROs there. So if, you know,
00:17:42.470 --> 00:17:46.420
I have some customers who come
at... who ask and say, well,
00:17:46.470 --> 00:17:51.940
what if I only want people to sign
in to the Office 365 or I
00:17:51.990 --> 00:17:56.400
only want people to sign in to the
Windows Intune when they're
00:17:56.450 --> 00:18:01.850
at specific places, or perhaps
block the, you know, access to
00:18:01.900 --> 00:18:04.210
the service when they're in a place
that is in countries where
00:18:04.260 --> 00:18:06.560
you can't have access. Well, then
in that case, you're going
00:18:06.610 --> 00:18:12.900
to need to do AD FS and this third
scenario for that. So there's
00:18:12.950 --> 00:18:16.890
a lot of benefits to this, and really,
you know, when you look
00:18:16.940 --> 00:18:20.350
at some of the documentation that's
online, you'll find that
00:18:21.400 --> 00:18:25.940
sometimes it says, hey, if you want
to do directory and single
00:18:25.990 --> 00:18:28.990
sign or federation at some point,
you should kind of decide that
00:18:29.040 --> 00:18:32.650
up front, because when you go from
the directory only to the
00:18:32.700 --> 00:18:35.310
directory and the single sign-on,
there are some caveats.
00:18:35.360 --> 00:18:37.920
It gets tricky, and you can...
there are some things that you
00:18:37.970 --> 00:18:41.850
can mess up, right. That doesn't
mean it's impossible. It just
00:18:41.900 --> 00:18:46.210
means it's tougher and there are some
things that can go poorly, right.
00:18:46.260 --> 00:18:50.740
So, you know, really you want to make
this decision, and hopefully...
00:18:50.790 --> 00:18:53.340
we will keep going through this,
but by now you hopefully have
00:18:53.390 --> 00:18:56.410
a rough idea of what you'd want to
target within your organization
00:18:56.460 --> 00:18:59.400
of which of these three solutions
you want to work towards.
00:19:00.880 --> 00:19:05.000
Okay. With that, we're going to move
to cloud-only provisioning.
00:19:05.050 --> 00:19:06.990
We're going to dig into the how-to.
So we just mentioned those
00:19:07.040 --> 00:19:10.280
three scenarios of provisioning,
and we're going to dig into
00:19:10.330 --> 00:19:13.780
what does that look like practically
and how do you implement that.
00:19:13.830 --> 00:19:16.870
The first one is cloud-only provisioning,
right, where you're
00:19:16.920 --> 00:19:21.330
just putting in users into the
Windows Azure Active Directory
00:19:21.380 --> 00:19:24.610
manually or via the scripting methods.
00:19:25.320 --> 00:19:27.180
The first thing you're going to
do is verify your domain.
00:19:27.230 --> 00:19:30.460
I'll show you that. And then you're
going to export or import
00:19:30.510 --> 00:19:34.390
your list of users. So if you have
an on-premise Active Directory,
00:19:34.440 --> 00:19:37.340
there's ways that you can export
your users into a format that
00:19:37.390 --> 00:19:41.220
you'd have to slightly modify, and
then take that file to import
00:19:41.270 --> 00:19:46.190
into your cloud service. And then
finally, activating your users.
00:19:46.240 --> 00:19:50.010
I'm not going to dig into the activating
as much. Rich is going
00:19:50.060 --> 00:19:53.700
to get more into all the implications
of that. But for now,
00:19:53.750 --> 00:19:59.220
what I'd like to do is give you a
quick demo of what that DirSync
00:19:59.480 --> 00:20:02.730
kind of process looks like, and
what is the... I'm sorry, not
00:20:02.780 --> 00:20:05.440
the DirSync, but the verification
of the domain and the import
00:20:05.490 --> 00:20:08.210
of the users process look like.
So I'm going to snap so that
00:20:08.740 --> 00:20:13.800
right now. So let me pull
this up here. Okay.
00:20:13.850 --> 00:20:15.310
>> You have to skip on
to presentation.
00:20:16.480 --> 00:20:21.250
>> Oh. I have to exit
in slide show?
00:20:25.040 --> 00:20:30.660
Okay. We're getting
there. All right.
00:20:31.500 --> 00:20:35.540
There we are. Okay. So I've logged
in to this Windows Intune
00:20:35.590 --> 00:20:41.660
account, and the first off, this is
the base administrator portal,
00:20:41.960 --> 00:20:46.220
and when we first log in, when we
look at our domains, this is
00:20:46.270 --> 00:20:50.900
where you would go to add a domain.
Now, what I can do is click
00:20:50.950 --> 00:20:55.620
on add, and when I specify domain,
I can put in really, honestly,
00:20:55.670 --> 00:20:58.000
whatever I want here.
So if I want to say
00:20:59.400 --> 00:21:03.730
ilovewindowsintune.com,
or maybe like
00:21:05.310 --> 00:21:09.540
richardisanintuneguru.com or whatever
I want to put in, I can
00:21:09.590 --> 00:21:15.960
click next, and then what it has
for me is this, hey, create
00:21:16.010 --> 00:21:19.120
a text record. Right. There's a
few different methods that you
00:21:19.170 --> 00:21:22.770
can put... choose here. You can do
an MX or a text. I recommend text.
00:21:23.310 --> 00:21:26.180
Just a little easier, a little more
reliable for verification.
00:21:26.770 --> 00:21:31.820
But at your... wherever your public
facing is for, in this case,
00:21:31.870 --> 00:21:37.060
I have ilovewindowsintune.com, wherever
your public DNS facing
00:21:37.110 --> 00:21:41.310
servers are, you would need to
add in this record at the root
00:21:41.360 --> 00:21:45.020
MS equals. And yes, you do have
to put MS equals into that and
00:21:45.070 --> 00:21:46.240
with that TTL [Indiscernible].
00:21:46.290 --> 00:21:51.400
Once you do that, you can click on
verify and, of course, I don't
00:21:51.450 --> 00:21:55.590
have ilovewindowsintune.com verified,
but once you click on verify,
00:21:55.640 --> 00:21:59.080
then that domain name becomes available
inside of your domain.
00:21:59.130 --> 00:22:00.090
So if I click on...
00:22:00.900 --> 00:22:02.820
and if you click on cancel through
this wizard, you can come
00:22:02.870 --> 00:22:05.720
back to it. There's no harm in
that. But you'll notice here
00:22:05.770 --> 00:22:11.850
there's ilovewindowsintune.com in
this list, and, you know, that's
00:22:11.900 --> 00:22:14.400
what you would need in order to
add users. Once you verify the
00:22:14.450 --> 00:22:18.950
domain, then what you can do is
once you go to add users, if
00:22:19.000 --> 00:22:22.720
I go to create a new user, you would
see in this dropdown list
00:22:22.770 --> 00:22:25.390
the other domains that you verified
in the list to be able to
00:22:25.440 --> 00:22:29.250
add users with yourcompany.com
or whatever your... you know,
00:22:29.300 --> 00:22:31.090
whatever the domain name
is that you own.
00:22:32.810 --> 00:22:35.410
But most of you probably, if you've
got a larger organization,
00:22:35.460 --> 00:22:40.550
you probably don't want to have to,
you know, create 50 users manually.
00:22:40.600 --> 00:22:43.510
And, of course, we give you an option
for that. So in this case,
00:22:43.560 --> 00:22:44.620
we have a bulk add.
00:22:45.620 --> 00:22:50.090
When we look at the bulk add, you'll
notice there is some sample
00:22:50.140 --> 00:22:53.560
CSV template files. Now, in this
case, I've already downloaded
00:22:53.610 --> 00:22:57.050
this template using the base user.
So if you look here, this
00:22:57.100 --> 00:23:00.540
is the template that downloads. It's
just got some simple sample
00:23:00.590 --> 00:23:03.190
users here, five different
sample users, and
00:23:04.400 --> 00:23:07.140
what you would need to do, if you
wanted to use the same template,
00:23:07.190 --> 00:23:09.880
is change... all you need to do
is change the domain name that
00:23:09.930 --> 00:23:11.590
you have here for this...
00:23:12.170 --> 00:23:12.930
for this...
00:23:13.460 --> 00:23:19.390
for this user, right. So contoso.com,
when we look at this,
00:23:20.660 --> 00:23:25.080
I've updated that to be ContosoCF.OnMicrosoft.com.
00:23:26.130 --> 00:23:29.290
But if this was iloveintune.com and
that was verified, we'd just
00:23:29.340 --> 00:23:33.720
add that into that list. And
when we go to import this,
00:23:35.470 --> 00:23:40.520
we go down and do the Contoso
CSV, click on next.
00:23:41.250 --> 00:23:45.320
Now, I intentionally made a typo
in my file, and I wanted to
00:23:45.370 --> 00:23:48.690
bring that up because when you see
this here, you see that users
00:23:48.740 --> 00:23:52.070
pass the verification and one was
four. When you view the errors,
00:23:52.120 --> 00:23:54.040
you'll notice that the user name
isn't valid. So you see here
00:23:54.090 --> 00:23:57.440
there's CF1. I put a 1 in there
because I don't own that domain
00:23:57.490 --> 00:24:01.440
name, right. If I had... furthermore,
if I had ilovewindowsintune.com
00:24:01.520 --> 00:24:04.270
before it was verified, it would also
give me a failure for that user.
00:24:04.950 --> 00:24:09.210
So that's verification, and that's
the manual import. So now
00:24:09.260 --> 00:24:12.870
I'm going to snap back to my slides
and we're going to dig into
00:24:12.920 --> 00:24:15.250
the next scenario, which is the
directory synchronization.
00:24:19.930 --> 00:24:21.740
Give me one second here.
00:24:23.360 --> 00:24:33.320
Okay. How's the questions
coming there?
00:24:33.370 --> 00:24:35.960
>> Yeah, we're getting a few
of them at the moment.
00:24:36.010 --> 00:24:41.640
So one question here, do you need an
SSL certificate to set this up?
00:24:42.600 --> 00:24:45.690
>> No. Yeah, so you do not... so
far, everything we've talked
00:24:45.740 --> 00:24:48.460
about so far, you do not need
an SSL certificate. Now, when
00:24:48.510 --> 00:24:52.780
we get to federated, then that's
a different story. And we'll
00:24:52.830 --> 00:24:56.390
talk about that as we dig into that
scenario. But for just DirSync
00:24:56.440 --> 00:24:59.060
or just for cloud only, you need
no certificates at all.
00:25:00.090 --> 00:25:04.540
Okay. So DirSync. This is the overall
process for the Directory
00:25:04.590 --> 00:25:07.800
Synchronization Tool, and I'm going
to show this in demo so I'm
00:25:07.850 --> 00:25:10.600
not going to dig into all of these
steps, but this is roughly
00:25:10.650 --> 00:25:14.860
the steps that you would run. We
don't dig into the Office 365
00:25:14.910 --> 00:25:18.210
Deployment Readiness Tool here, but
I will once we get into AD FS.
00:25:18.260 --> 00:25:23.510
And I think we're just going to
go to a simulation now which
00:25:23.560 --> 00:25:27.300
walks through the steps of configuring
DirSync. Now, the reason
00:25:27.350 --> 00:25:29.770
why I'm doing the simulation, instead
of a live demo, is because
00:25:29.820 --> 00:25:34.890
DirSync is a one-time process.
So, you know, me sitting here,
00:25:34.940 --> 00:25:37.690
you don't want to wait for, you
know, at least in my timing,
00:25:37.740 --> 00:25:40.500
like two and a half to three minutes
in an automated way, like
00:25:40.550 --> 00:25:43.020
when I had this script that I have.
You know, you don't want
00:25:43.070 --> 00:25:45.400
to watch me waiting for the tool
to install and all those things.
00:25:45.450 --> 00:25:48.450
So in the interest of time, and
the interest of the fact that
00:25:48.500 --> 00:25:51.050
it is a one-time operation, we're
going to go show you a simulation
00:25:51.330 --> 00:25:54.960
of this process. Okay.
So let me go to
00:25:56.970 --> 00:26:01.100
my desktop here once the synchronization
comes across.
00:26:08.550 --> 00:26:11.490
Okay. So here we
are. This is my
00:26:13.030 --> 00:26:14.160
Windows Intune,
00:26:16.190 --> 00:26:21.790
and when we go into this console,
what you'll see is we'll scroll
00:26:21.840 --> 00:26:24.820
down to underneath the domains.
00:26:25.490 --> 00:26:29.660
So we go under domains. You go to
Active Directory synchronization.
00:26:29.710 --> 00:26:30.340
Set up.
00:26:30.990 --> 00:26:35.160
When you scroll down, you need to
activate, first of all, activate
00:26:35.210 --> 00:26:37.990
Active Directory synchronization.
And this is more of a back-end
00:26:38.040 --> 00:26:42.870
process or scenario that happens
to kind of tell the Windows
00:26:42.920 --> 00:26:45.440
Azure AD service to say hey, I'm
going to be waiting. I'm going
00:26:45.490 --> 00:26:49.010
to be preparing for somebody to
synchronize with this database.
00:26:49.060 --> 00:26:52.120
You click activate, are you sure
you want to activate it?
00:26:52.170 --> 00:26:52.920
Yes, I do.
00:26:54.200 --> 00:26:55.310
Now it's activated.
00:26:56.520 --> 00:26:57.660
And next...
00:26:57.710 --> 00:27:01.330
>> So this is where real life diverges
from the simulation for
00:27:01.380 --> 00:27:02.240
the sake of time.
00:27:02.290 --> 00:27:02.460
>> Yep.
00:27:02.510 --> 00:27:05.140
>> The activation process to actually
get it to come through can
00:27:05.190 --> 00:27:10.340
take, on the quick side, some 10,
15 minutes. On the outside,
00:27:10.390 --> 00:27:13.260
I think it's several hours. So
you want to make sure you have
00:27:13.310 --> 00:27:14.270
that ready to go.
00:27:14.320 --> 00:27:19.000
>> Yep, yep. And then after that
then it's now downloading and
00:27:19.050 --> 00:27:22.300
installing the DirSync tool or the
Directory Synchronization Tool.
00:27:22.350 --> 00:27:24.520
We click download on that,
00:27:26.060 --> 00:27:30.030
and after we download it, we're
going to snap to the machine
00:27:30.080 --> 00:27:32.500
we're going to install DirSync
on. Now, again, DirSync needs
00:27:32.550 --> 00:27:37.110
to be on not a domain controller
and it needs to be joined to
00:27:37.160 --> 00:27:42.240
the domain. So we click on next, we're
going to specify the online
00:27:42.290 --> 00:27:45.720
services global administrator account.
Again, that's your OnMicrosoft.com
00:27:45.770 --> 00:27:48.610
ID, probably the one that you did,
you had when you first signed
00:27:48.660 --> 00:27:49.790
up for your account.
00:27:51.140 --> 00:27:51.890
Click next.
00:27:52.510 --> 00:27:55.340
Then we're going to put the enterprise
administrator credentials.
00:27:55.390 --> 00:27:58.910
Now, the enterprise credentials
for your domain are not going
00:27:58.960 --> 00:28:03.380
to be used for anything other than
creating a synchronization
00:28:03.430 --> 00:28:06.900
account, and then that account,
that synchronization account
00:28:06.950 --> 00:28:08.170
will be used after that.
00:28:08.840 --> 00:28:10.950
Then you have the hybrid deployment.
If you've got Exchange
00:28:11.000 --> 00:28:14.330
on-premise, you're going to want
to enable this and, you know,
00:28:14.380 --> 00:28:18.250
digging into all the caveats of
hybrid deployment are beyond
00:28:18.300 --> 00:28:20.690
kind of what we're covering in
the scope of this module, but
00:28:20.740 --> 00:28:24.970
that's what you need to configure
with the DirSync module there.
00:28:25.020 --> 00:28:28.020
You click next and configure. This
obviously is a lot quicker
00:28:28.070 --> 00:28:32.640
because it's a sim. This takes a few
minutes to download and install.
00:28:32.960 --> 00:28:36.180
Then once you click finish, it's going
to synchronize the directory.
00:28:36.230 --> 00:28:40.600
Now, this, if you want to synchronize
the directory later, you
00:28:40.650 --> 00:28:43.560
would need to use a PowerShell command
to go in and, you know,
00:28:43.610 --> 00:28:47.420
start online coexistence. I think,
if I... I looked at Richard's
00:28:47.470 --> 00:28:50.280
blog earlier. I'll have
to admit that.
00:28:51.010 --> 00:28:53.760
I did scroll through the latest
posts and I saw that you had...
00:28:53.810 --> 00:28:56.340
you actually had the command to
you know, to synchronize that
00:28:56.390 --> 00:29:00.080
up via PowerShell. So there's a
way to do that. And if you want
00:29:00.130 --> 00:29:02.650
to verify that, there's some event
logs that say hey, this has
00:29:02.700 --> 00:29:06.510
been synchronized. After that's
done, right, when you go into
00:29:06.560 --> 00:29:07.600
this console, you can...
00:29:08.450 --> 00:29:13.170
you'll see that these users here are
synchronized up to the console.
00:29:13.220 --> 00:29:16.800
Now, if you have not registered
your on-premise domain name,
00:29:16.850 --> 00:29:19.060
it's just going to default
to the OnMicrosoft.com.
00:29:19.720 --> 00:29:22.490
Like you haven't verified what
your on-prem domain is, it will
00:29:22.540 --> 00:29:27.680
just show the same user names
but put them in this format.
00:29:28.170 --> 00:29:31.180
Okay. With that, I think that's
really the DirSync process.
00:29:31.230 --> 00:29:34.620
It's not too extremely tough. But,
again, just going through
00:29:34.670 --> 00:29:36.810
these steps you're going to have
two separate sets of passwords.
00:29:36.860 --> 00:29:39.050
And you'd have to activate the
users and then have them have
00:29:39.100 --> 00:29:44.050
a separate set of passwords for both
of those different accounts.
00:29:44.840 --> 00:29:48.570
So I'm going to go back to the third
scenario now, which is the
00:29:48.620 --> 00:29:52.640
federation and the single sign-on.
So let me go back to our
00:29:52.690 --> 00:29:55.520
slides and
00:29:57.250 --> 00:29:58.010
pull that up.
00:30:02.770 --> 00:30:05.680
>> So while you're doing that, we've
got a quick question here
00:30:05.730 --> 00:30:08.680
that's talking about Directory
Synchronization. Does it allow
00:30:08.730 --> 00:30:10.490
selective OU replication?
00:30:10.810 --> 00:30:11.060
>> Okay.
00:30:11.110 --> 00:30:11.950
>> At this point.
00:30:12.000 --> 00:30:16.520
>> Yes, yes. That is... I have an
appendix slide specifically
00:30:16.570 --> 00:30:19.190
on that one. I was prepared for
that one. There is a way with
00:30:19.240 --> 00:30:24.350
the DirSync tool to limit the OU or
specific accounts. It's Directory
00:30:24.400 --> 00:30:27.500
Synchronization filtering. There's
a link on that, a public article
00:30:27.550 --> 00:30:30.350
on how to do that. You cannot get
down to the attribute level
00:30:30.400 --> 00:30:33.050
so you can't say I only want part
of the attributes of a single
00:30:33.100 --> 00:30:36.190
account, but you can do the OU.
You can do, you know, selective
00:30:36.240 --> 00:30:38.650
accounts within your directory.
00:30:38.930 --> 00:30:40.410
>> Yep. Good. Thank you.
00:30:40.460 --> 00:30:42.440
>> Yep. Let's see.
00:30:42.490 --> 00:30:47.160
So I want to get into... bring
up the architecture side.
00:30:47.210 --> 00:30:48.970
I'm not going to explain all the other
things that were already done,
00:30:49.020 --> 00:30:53.270
but I just want to point out this
middle scenario here, the blue.
00:30:53.320 --> 00:30:56.470
The server's in blue. Now, there's
a lot of different ways that
00:30:56.520 --> 00:30:59.750
you can do this, that you can architect
the solution. In this
00:30:59.800 --> 00:31:03.590
case, we have, it looks like, four
servers. You don't necessarily
00:31:03.640 --> 00:31:06.270
need four servers in order
to make this all work.
00:31:07.380 --> 00:31:12.000
Technically, all you need to just
make all the functionality
00:31:12.050 --> 00:31:15.090
work is a single AD FS server.
00:31:16.020 --> 00:31:18.890
In this case, let's say a member
server that has DirSync on it.
00:31:19.730 --> 00:31:22.340
That one server and your on-premise
Active Directory, if you
00:31:22.390 --> 00:31:26.400
publish from the outside, so if
we publish, let's say we only
00:31:26.450 --> 00:31:30.290
had one server. If we published
that authentication back into
00:31:30.340 --> 00:31:34.840
just this box and we, let's say,
didn't have that, then that
00:31:34.890 --> 00:31:35.970
would technically work.
00:31:36.640 --> 00:31:41.090
Now, the problem with that, though,
is that if that goes down,
00:31:41.140 --> 00:31:46.190
or if that breaks, now people can't
sign in, right? And so you've
00:31:46.240 --> 00:31:49.650
created now this dependency with
AD FS that you rely on, let's
00:31:49.700 --> 00:31:54.700
say, a single VM or a single box.
So with that in mind, we have
00:31:54.750 --> 00:31:58.310
the scalability planning, right.
And all of this really, it's
00:31:58.360 --> 00:32:01.510
kind of multiple factors. It hinges
on a couple of variables.
00:32:01.560 --> 00:32:04.310
One is how many users do you have,
because there's naturally
00:32:04.360 --> 00:32:08.470
going to be a traffic load associated
with the amount of authentications
00:32:08.520 --> 00:32:10.640
and users that are coming in
to the environment, right.
00:32:11.320 --> 00:32:16.130
And in the less than a thousand user
department, we say don't even...
00:32:16.180 --> 00:32:19.130
you don't even necessarily need
to add another server. We say
00:32:19.180 --> 00:32:22.960
just get on... just add AD FS
to your existing DCs. I would
00:32:23.010 --> 00:32:25.660
say the caveat there is that you
would need to have DirSync on
00:32:25.710 --> 00:32:28.340
a separate box so it doesn't really...
doesn't really highlight
00:32:28.390 --> 00:32:31.600
that in that scenario. But as you
can see here, there's a lot
00:32:31.650 --> 00:32:35.290
of different scenarios or ways
to architect this. And it kind
00:32:35.340 --> 00:32:38.710
of depends on your environment,
right.
00:32:38.760 --> 00:32:39.260
>> Right.
00:32:39.790 --> 00:32:42.010
>> So there's an article at the bottom
there, if you want to dig
00:32:42.060 --> 00:32:45.240
more into the high availability
and scalability planning.
00:32:45.740 --> 00:32:50.210
But with that, I want to make sure
I have some time to dig into
00:32:50.260 --> 00:32:52.130
the how and the...
00:32:52.180 --> 00:32:57.120
the how to go through all this
process. Now, I will say that
00:32:57.170 --> 00:32:59.900
right now, if you go trying to
search on how to do this, it's
00:32:59.950 --> 00:33:03.540
very scary. There's some documentation
that's out there that
00:33:03.590 --> 00:33:07.800
says you need to hire consultants
and, you know, you need to
00:33:07.850 --> 00:33:10.950
have a project plan, all these things.
Now, if you've got multiple
00:33:11.000 --> 00:33:13.780
forests and you've got all kinds
of crazy directories, well,
00:33:13.830 --> 00:33:16.970
yeah, that might be the case. But if
you're a single forest scenario,
00:33:17.020 --> 00:33:20.140
even with multiple domains inside
of a single forest, it's actually
00:33:20.190 --> 00:33:23.690
not too bad. It's not too complex.
And what I've done is I've
00:33:23.740 --> 00:33:26.410
created a process to automate this
so I'm going to show you in
00:33:26.460 --> 00:33:30.440
a demo. But effectively, right,
you're going to add the domain
00:33:30.490 --> 00:33:34.340
to Windows Azure AD. You're going to
enable the Directory Synchronization
00:33:34.390 --> 00:33:36.270
so that's that process
that takes a while.
00:33:36.920 --> 00:33:39.930
You're going to install and configure
the AD FS server itself.
00:33:40.470 --> 00:33:43.700
That includes DirSync on that server.
00:33:44.260 --> 00:33:47.300
And then you're going to, you know,
if you so desire to have
00:33:47.350 --> 00:33:49.970
an AD FS proxy... now, the reason
why a lot of times we see a
00:33:50.020 --> 00:33:53.000
proxy is because that proxy is joined
to a work group. It adds
00:33:53.050 --> 00:33:56.150
you an additional layer of protection,
a security protection,
00:33:56.200 --> 00:33:59.580
because that is going to be your
front-facing box. It's going
00:33:59.630 --> 00:34:03.040
to handle and offset some of the
load to your core AD FS boxes.
00:34:03.090 --> 00:34:06.310
So there's a number of reasons why you
might want to use a proxy, right.
00:34:06.360 --> 00:34:09.050
I put optional just because, I mean,
like you saw in the earlier
00:34:09.100 --> 00:34:12.670
slide, just from the NLB guidance,
you know, there is no proxy
00:34:12.720 --> 00:34:15.180
servers in the less than a thousand
users. But it's really up
00:34:15.230 --> 00:34:16.970
to you, right? I mean there's no
reason why, if you're less than
00:34:17.020 --> 00:34:19.120
a thousand, you might not
have a proxy. You might.
00:34:19.900 --> 00:34:22.490
After that, you need to figure that
inbound SSL access to either
00:34:22.540 --> 00:34:25.200
your proxy or to your AD FS server.
00:34:25.910 --> 00:34:28.670
And then after that, you're going
to finish configuring the AD
00:34:28.720 --> 00:34:31.950
FS, the federation support in the
domain and then install...
00:34:32.000 --> 00:34:35.230
finally, install and configure the
DirSync tool. So again, this
00:34:35.280 --> 00:34:37.700
is important to know, you know,
back to which scenario are you
00:34:37.750 --> 00:34:39.950
going to do. It's important to know
are you going to do DirSync,
00:34:40.280 --> 00:34:43.000
or are you going to do federation?
Because if you do federation,
00:34:43.050 --> 00:34:46.240
right, you need to wait to do that
DirSync after you do all these
00:34:46.290 --> 00:34:48.610
federation steps, and there's some
things in there that are going
00:34:48.660 --> 00:34:49.580
to be different.
00:34:50.250 --> 00:34:54.910
So with that, I'm going to go to
a demo of walking through a...
00:34:54.960 --> 00:34:58.900
the quick start guide that I've
configured, and this is new.
00:34:58.950 --> 00:35:00.940
A lot of you have never heard of
this or never seen this, but
00:35:00.990 --> 00:35:06.600
it's going to be released very soon,
and so what I'll be doing
00:35:06.650 --> 00:35:11.120
is walking through a video of configuring
an AD FS and DirSync
00:35:11.170 --> 00:35:16.060
server inside of your domain. So
let's dig into that right now.
00:35:19.680 --> 00:35:23.080
>> And I have to say I did read
through your guide last week,
00:35:23.130 --> 00:35:26.790
and I'm very impressed. You've
taken what really scared me in
00:35:26.840 --> 00:35:29.740
terms of a process and turned it into
something that's very accessible.
00:35:29.790 --> 00:35:33.920
So I strongly recommend reading
it. It takes a lot of the fear
00:35:33.970 --> 00:35:36.980
out of this and actually explains
in nice, clear terms the steps
00:35:37.030 --> 00:35:39.610
you need to go through and
automate a lot of them.
00:35:39.660 --> 00:35:42.640
>> Yeah, yeah. It's... I mean, where
it used to be this I need
00:35:42.690 --> 00:35:45.700
to hire a consultant, I wanted to
get it to let's do it in under
00:35:45.750 --> 00:35:49.140
an hour. Let's just get the whole
thing done in under an hour,
00:35:49.190 --> 00:35:52.940
and as you'll see with my timing,
even with just this AD FS server,
00:35:52.990 --> 00:35:57.600
we're going to finish the AD FS
server in about 15 minutes, the
00:35:57.650 --> 00:35:58.300
whole thing.
00:35:59.430 --> 00:36:05.030
So this is the guide that I've got
a link to it in one of my slides.
00:36:05.640 --> 00:36:07.890
ITproguide.com is the new blog
that I have. I'll be posting
00:36:07.940 --> 00:36:11.470
as soon as it's publicly available.
You bet I will be posting
00:36:11.520 --> 00:36:13.770
about it. This is something that
I've been working on for at
00:36:13.820 --> 00:36:18.540
least six months now because I was
frustrated with the complexity.
00:36:18.590 --> 00:36:21.430
I was frustrated with the fact
that we all need this, right.
00:36:21.480 --> 00:36:24.770
I mean, there's a huge need for
this scenario. So the guide
00:36:24.820 --> 00:36:28.010
will come along with these steps.
So when I go through this
00:36:28.060 --> 00:36:31.640
video here, this corresponds to
this guide so when you look at
00:36:31.690 --> 00:36:35.460
this guide, it has the different
steps that are here. So this
00:36:35.510 --> 00:36:37.600
PowerShell command is not blind.
You don't have to just download
00:36:37.650 --> 00:36:39.950
the PowerShell and just hope everything
works. There's additional
00:36:40.000 --> 00:36:41.930
guidance here, but I'm going to
kind of walk you through that
00:36:41.980 --> 00:36:47.630
as we get into this video. So the first
step, you need an SCCM box...
00:36:48.540 --> 00:36:53.930
I'm sorry, not SCCM box. You need
a Windows Server 2012 machine
00:36:54.300 --> 00:36:58.410
that is joined to the domain. That's
it. That's your baseline.
00:36:58.820 --> 00:37:01.600
Okay, that's where we're at. So
this is going to be our AD FS
00:37:01.650 --> 00:37:04.530
server and DirSync server. Remember,
I mentioned earlier in the
00:37:04.580 --> 00:37:07.960
architecture that that's all we need
to make all the functionality
00:37:08.010 --> 00:37:10.950
work inside of your
domain. So here,
00:37:12.160 --> 00:37:15.490
we're joined to contoso.com, and
one of the first things that
00:37:15.540 --> 00:37:19.280
we need to do is to turn off enhanced...
00:37:19.940 --> 00:37:22.390
IE enhanced security configuration,
and that's because this tool
00:37:22.440 --> 00:37:25.890
installs software. So the PowerShell
command installs your prerequisite
00:37:25.940 --> 00:37:28.270
software, and you need to make sure
it's off for administrators
00:37:28.320 --> 00:37:31.260
and users. You cannot turn it off,
although the script will do
00:37:31.310 --> 00:37:33.890
it for you, and you'll have the
Explorer close and then reopen
00:37:33.940 --> 00:37:37.180
on you. If you don't want that to happen,
you should do that beforehand.
00:37:39.240 --> 00:37:42.170
This is the tool, right. So I scrolled
up so you can see the
00:37:42.220 --> 00:37:44.680
top of the tool. It gives you all
these options which are going
00:37:44.730 --> 00:37:46.820
to be walked through in the guide.
The first thing you need
00:37:46.870 --> 00:37:51.280
to do is install the Microsoft online
services sign-in assistant.
00:37:51.330 --> 00:37:54.060
So you'll see there, that was very
fast. You might have missed
00:37:54.110 --> 00:37:56.630
it, but it already installed the sign-in
assistant. It is that fast.
00:37:56.680 --> 00:37:58.190
This is real time.
00:37:58.700 --> 00:38:02.900
Then we need to install the PowerShell
module. So let me pause
00:38:02.950 --> 00:38:06.500
here, because this is going so
fast, I kind of need to pause.
00:38:06.550 --> 00:38:09.300
So what just happened is we installed
the prerequisite tools
00:38:12.830 --> 00:38:16.120
for the online services module
for PowerShell, because that's
00:38:16.170 --> 00:38:19.210
what allows us to do this configuration
using PowerShell and
00:38:19.260 --> 00:38:23.420
do some things, configure them
up in the cloud. After that,
00:38:23.470 --> 00:38:28.580
we're going to then go into
using the office 360...
00:38:28.630 --> 00:38:32.290
downloading and installing the Microsoft
Office 365 deployment
00:38:32.340 --> 00:38:36.030
readiness tool. And the reason that
we're doing that is because
00:38:36.410 --> 00:38:39.060
you could have some issues inside
of your Active Directory.
00:38:39.110 --> 00:38:42.370
Right now, you could have, you know,
accounts that aren't going
00:38:42.420 --> 00:38:44.960
to synchronize. You could have
a number of issues. This does
00:38:45.010 --> 00:38:48.800
a ton of different checks, and
this, in my testing, did...
00:38:48.850 --> 00:38:51.220
it took about four and a half minutes.
So I'm sparing you from
00:38:51.270 --> 00:38:54.320
four and a half minutes, but I
am going to show you a little
00:38:54.370 --> 00:38:57.920
bit more of the guide here
after it was done.
00:38:58.650 --> 00:39:00.670
Just so you can get an idea of some
of the types of things that
00:39:00.720 --> 00:39:03.320
are inside this guide. You would
definitely want to fix kind
00:39:03.370 --> 00:39:09.000
of your home base first, before
you go forward with this entire
00:39:09.050 --> 00:39:11.690
process and kind of fix it up front.
00:39:12.270 --> 00:39:15.910
So it shows you here the number
of accounts that are there, the
00:39:15.960 --> 00:39:19.760
number of trusts that you have inside
the domain. It says, hey,
00:39:19.810 --> 00:39:21.970
you're not prepared for hybrid
deployment if you're thinking
00:39:22.020 --> 00:39:23.010
about doing that.
00:39:23.960 --> 00:39:27.560
You know, it has a lot of different
things. Now, some of these
00:39:27.610 --> 00:39:30.200
may or may not be really an issue.
It says issue discovered, right.
00:39:30.250 --> 00:39:32.980
For instance, the hybrid deployment's
not enabled. That's not
00:39:33.030 --> 00:39:35.890
really an issue, right, if you're
not going to a hybrid deployment.
00:39:36.380 --> 00:39:39.800
It also says hey, there's groups
without a display name so those
00:39:39.850 --> 00:39:42.980
aren't going to synchronize. This gives
you a lot of useful information
00:39:43.380 --> 00:39:46.170
before you go forward with the
full process. Next up, we're
00:39:46.220 --> 00:39:50.080
going to add a local UPN suffix
as domain in Windows Azure AD.
00:39:50.130 --> 00:39:52.890
This would be the same thing as
the equivalent of adding that
00:39:52.940 --> 00:39:57.660
domain in the console, right. When
I add ilovewindowsintune.com,
00:39:58.600 --> 00:40:02.490
this is doing a similar thing. Essentially,
the same thing with
00:40:02.540 --> 00:40:03.700
the exception of...
00:40:04.870 --> 00:40:08.230
with the exception of that when
we add this domain, we're going
00:40:08.280 --> 00:40:11.570
to add the domain as federated,
and that's one big thing to...
00:40:11.620 --> 00:40:14.990
one big difference between the DirSync
only and the federated mode.
00:40:15.690 --> 00:40:19.560
Behind the covers or under the
covers, all right, there is
00:40:20.790 --> 00:40:25.510
this scenario of it is adding a federated
domain instead of managed.
00:40:25.560 --> 00:40:29.430
You're not going to see that in the
UI of Windows Intune at all.
00:40:29.480 --> 00:40:33.400
And so here, I've added my custom domain
name, christianboarder.com,
00:40:33.460 --> 00:40:36.690
and it's not verified yet, but it's
being added as federated, right.
00:40:36.740 --> 00:40:40.130
And so the reason why we did this
up front is because, you know,
00:40:40.180 --> 00:40:43.580
takes some time to add that public
record and to be able to get
00:40:43.630 --> 00:40:46.720
that to be able to potentially
be verified.
00:40:47.720 --> 00:40:48.990
So we add that up there.
00:40:49.630 --> 00:40:52.640
And then next, what we're
going to do, and
00:40:54.550 --> 00:40:58.750
I'm just showing this... showing
you the option in the cloud
00:40:58.800 --> 00:41:01.080
as well so it can see how it showed
up inside the console, so
00:41:01.130 --> 00:41:03.650
you can see there christianboarder.com
also popped up in the
00:41:03.700 --> 00:41:06.480
console using that PowerShell
command, right.
00:41:07.190 --> 00:41:10.160
And there's... like I said, there's
nothing there that says that
00:41:10.210 --> 00:41:13.290
it's managed or federated. And,
in fact, you don't even have
00:41:13.340 --> 00:41:17.730
the MS ID there that the... for
the text record that you need
00:41:17.780 --> 00:41:18.200
to add.
00:41:19.210 --> 00:41:22.690
So next we enabled DirSync. Remember
earlier, that was the thing
00:41:22.740 --> 00:41:24.700
we clicked on activate
on the previous step.
00:41:25.440 --> 00:41:28.690
So so far, we're at, first steps,
we're at about seven minutes
00:41:28.740 --> 00:41:31.750
because about, I guess, five and
a half or so... four and a
00:41:31.800 --> 00:41:34.490
half or five and a half for the
Office 365 readiness to run.
00:41:36.560 --> 00:41:40.840
Then next up, we're going to be
configuring or adding the AD
00:41:40.890 --> 00:41:43.330
FS role to the server. One of the
nice things about this script
00:41:43.380 --> 00:41:46.830
is that it goes ahead and just adds
any PowerShell commands or
00:41:46.880 --> 00:41:50.870
any .NET frameworks or any things
that you need to do automatically
00:41:50.920 --> 00:41:53.070
in the background. So you don't really
have to worry about that.
00:41:53.120 --> 00:41:55.580
But effectively right now, if you
were to do this via GUI, it
00:41:55.630 --> 00:41:58.430
would just be going to the server
manager, adding the role for
00:41:58.480 --> 00:41:59.380
AD FS.
00:42:00.450 --> 00:42:05.320
Next, we are creating a service
account for AD FS use. If you
00:42:05.370 --> 00:42:08.920
were to go through the wizard with
the manual creation of the
00:42:08.970 --> 00:42:11.400
AD FS service, you would have
to create a service account.
00:42:11.450 --> 00:42:14.190
So we're just allowing you to create
that automatically. So the
00:42:14.240 --> 00:42:17.400
service account is created, and
now we're creating an internal
00:42:17.450 --> 00:42:21.960
DNS entry for the farm name, because
that's also another thing
00:42:22.010 --> 00:42:23.780
you need to have done.
So that's finished.
00:42:25.220 --> 00:42:30.360
And then next up, and this is SSL
certificate. So here's where
00:42:30.410 --> 00:42:32.690
I should... I should pause, okay.
00:42:34.320 --> 00:42:37.900
Because the question was brought
up earlier, well, do we need
00:42:37.950 --> 00:42:39.200
to have a certificate or not.
00:42:39.970 --> 00:42:45.090
If you want this in production, you
definitely need a certificate.
00:42:45.340 --> 00:42:48.860
Now, in my case, what I've done
on my own personal one that I
00:42:48.910 --> 00:42:53.370
use, I bought a nine dollar SSL certificate.
00:42:53.980 --> 00:42:57.270
It was nine bucks. Obviously, not
very high quality. It's the
00:42:57.320 --> 00:42:59.250
lowest bar that you could
possibly find.
00:43:00.830 --> 00:43:04.050
But yeah, that was, you know, that
was what I did. And I used
00:43:04.100 --> 00:43:10.330
that with AD FS and it worked, right.
Now can you get away with using
00:43:10.380 --> 00:43:13.250
this private certificate, which it does
create by default? Well, sure.
00:43:13.300 --> 00:43:16.300
If you're in a demo, if you're
in a test environment, you can
00:43:16.350 --> 00:43:21.600
use the automatically created self-signed
certificate and things
00:43:21.650 --> 00:43:24.770
will work, assuming you add that
certificate to whatever clients
00:43:24.820 --> 00:43:29.480
that you want to authenticate, right.
So AD FS, you know, will
00:43:29.530 --> 00:43:32.310
still work. You'll still be able
to authenticate, but there will
00:43:32.360 --> 00:43:36.190
be some warnings, right, in regards
to, hey, this certificate's
00:43:36.240 --> 00:43:38.480
not working or you'd have to add
that certificate to your trusted
00:43:38.530 --> 00:43:43.660
authority list. There's more to that
in the documentation about this.
00:43:43.710 --> 00:43:45.670
If you're going to import your
own certificate here, which we
00:43:45.720 --> 00:43:48.430
allow that, you'd just need to
make sure the friendly name is
00:43:48.480 --> 00:43:52.750
specified with the AD to AD quick
start name, and then that way,
00:43:52.800 --> 00:43:55.060
this PowerShell command will pick
up that certificate and say,
00:43:55.110 --> 00:43:57.710
oh, it's already there, and your
public certificate will be used
00:43:57.760 --> 00:44:02.370
for configuration. The goal of
this script was that not only
00:44:02.420 --> 00:44:05.070
is it just quick for demo environments,
but that it is a solid
00:44:05.120 --> 00:44:08.270
foundation for if you want to move
towards production. So you
00:44:08.320 --> 00:44:11.750
go through all this effort here,
you're set up to, you know,
00:44:11.800 --> 00:44:15.390
you have a farm, a single server
farm. You have a proxy, a single
00:44:15.440 --> 00:44:17.970
server proxy, which you can add
to a proxy farm. You kind of
00:44:18.020 --> 00:44:21.880
got a great foundation there to
move forward, right. So you
00:44:21.930 --> 00:44:24.920
see there, there's the two certificates
that it automatically created.
00:44:24.970 --> 00:44:27.730
It will, by default, just put that
wherever it is on your desktop
00:44:28.280 --> 00:44:31.100
or wherever you're running the menu
or the PowerShell script from.
00:44:32.480 --> 00:44:37.690
And then next up, we are configuring
AD FS. It remembered our
00:44:37.740 --> 00:44:41.010
credentials for the service we had
earlier, and it goes through
00:44:41.060 --> 00:44:42.920
this whole process.
And this is...
00:44:43.800 --> 00:44:47.520
this was about 30 seconds for me.
So for you to go through the
00:44:47.570 --> 00:44:51.740
wizard even clicking through in that
amount of time is not very likely.
00:44:51.790 --> 00:44:55.350
So this is all using PowerShell
of configuring the AD FS role
00:44:55.880 --> 00:44:57.160
and that's done.
00:44:58.410 --> 00:45:01.440
Finally, we're going to make sure that
you have the 443 port opened.
00:45:01.490 --> 00:45:03.770
Even if you're using a proxy, you're
still going to need to have
00:45:03.820 --> 00:45:08.640
the 443 port open for authentication
with AD FS. And then finally,
00:45:08.690 --> 00:45:12.240
we are going to launch the test
web pages. So these test web
00:45:12.290 --> 00:45:14.530
pages are just verifying that all
the steps you've done up to
00:45:14.580 --> 00:45:17.160
this point are working and
that AD FS is functional.
00:45:17.920 --> 00:45:20.920
So there's three different sites.
All that goop that's there
00:45:20.970 --> 00:45:23.960
on the page is a good thing. You
don't need to understand that,
00:45:24.010 --> 00:45:27.110
but the fact that all of that comes
up means that it's working.
00:45:27.580 --> 00:45:30.570
And if you want to do a test, you
know, you can sign in there
00:45:30.620 --> 00:45:36.060
with your credentials of a domain.
So so far, right, the part
00:45:36.110 --> 00:45:39.380
one of the AD FS server is configured,
just to kind of pause
00:45:39.430 --> 00:45:43.180
on this. We have about ten and a
half minutes. We've done, we've
00:45:43.230 --> 00:45:47.370
installed AD FS, configured AD FS,
got all the ports opened up,
00:45:47.420 --> 00:45:49.210
got everything configured up in
the cloud and now we're going
00:45:49.260 --> 00:45:53.550
to move to the second half, which is kind
of finishing up that configuration.
00:45:53.600 --> 00:45:56.340
At this point, if you wanted a proxy,
you could go through those
00:45:56.390 --> 00:45:57.860
15 through 21 steps.
00:45:58.480 --> 00:46:01.800
But in this case, I'm just going
to skip that and go to step
00:46:01.850 --> 00:46:07.470
22 to configure the rest of the AD
FS server. So here, we verified...
00:46:07.520 --> 00:46:10.640
now we verified our record. You
see there, you can specify your
00:46:10.690 --> 00:46:13.210
own DNS server or it can use the
default, and we've verified
00:46:13.260 --> 00:46:14.080
our record.
00:46:14.780 --> 00:46:17.050
And then if there are problems there,
it will let you know that
00:46:17.100 --> 00:46:20.740
the record's not available. We
then configure our connection
00:46:20.790 --> 00:46:21.370
up to...
00:46:22.610 --> 00:46:26.190
for AD FS. That's kind of doing
the final verification of the
00:46:26.240 --> 00:46:30.390
domains and the final steps of the
AD FS config. At this point,
00:46:30.440 --> 00:46:32.880
we're really, you know,
we're on step 24.
00:46:33.450 --> 00:46:36.060
We're almost... we're done almost
with the... we are done with
00:46:36.110 --> 00:46:39.170
the AD FS configuration, but now
we're creating a single sign-on
00:46:39.220 --> 00:46:43.410
user just to make sure that that's
going to work for our steps
00:46:43.460 --> 00:46:46.580
up to this point. And that goes
and creates a user using your
00:46:46.630 --> 00:46:50.130
domain name up in Windows Azure Active
Directory for you to test with.
00:46:51.570 --> 00:46:54.910
And then now we're to the point finally
where we get into DirSync.
00:46:55.270 --> 00:46:58.930
And with DirSync, you know, we
have the tool to automatically
00:46:58.980 --> 00:47:04.230
download it and install it. This,
you know, this does take a while.
00:47:04.280 --> 00:47:08.140
It's probably the second longest step
after the Office 365 configuration.
00:47:08.220 --> 00:47:11.670
And in this case, we are... at least
in my test I had the other
00:47:11.720 --> 00:47:14.210
day, it was at two and a half minutes
or so to download, install
00:47:14.260 --> 00:47:18.210
and do all that. You do need to
sign out here. So I'll have
00:47:18.260 --> 00:47:20.260
effectively signed out and signed
back in because there are new
00:47:20.310 --> 00:47:23.130
credentials that you're going to
use to configure the service,
00:47:23.180 --> 00:47:27.760
and that is necessary. So all signed
out, sign back in, and now
00:47:27.810 --> 00:47:30.250
we're going to go ahead through the
configuration. The permanent
00:47:30.300 --> 00:47:33.050
sync credentials, this is something
you're going to add another
00:47:33.100 --> 00:47:36.260
global administrator account using
your OnMicrosoft.com account,
00:47:36.310 --> 00:47:38.590
because this is what DirSync
will use to synchronize.
00:47:39.680 --> 00:47:41.750
So you do want to have a separate
account for that. And now
00:47:41.800 --> 00:47:44.200
this is going to use your local
Active Directory administrator
00:47:44.250 --> 00:47:46.540
account, and all that's going to
be doing is configuring that
00:47:46.590 --> 00:47:50.320
service that is used to...
for the DirSync tool.
00:47:51.640 --> 00:47:54.940
So resets that MSOL AD
account is the...
00:47:55.980 --> 00:47:59.340
was the account used for DirSync.
And we ran... it was really
00:47:59.390 --> 00:48:01.560
quick there, but we ran the verification
to make sure DirSync
00:48:01.610 --> 00:48:04.830
has happened. And as you can see
here, the export has completed,
00:48:04.880 --> 00:48:07.330
and the directory has
been synchronized.
00:48:07.620 --> 00:48:10.500
So a lot there.
00:48:11.150 --> 00:48:14.630
We've got, I guess, about a minute
left, but we have effectively
00:48:14.680 --> 00:48:18.660
configured an AD FS server from scratch,
right, on Windows Server
00:48:18.710 --> 00:48:22.110
2012 and configured DirSync. You've
got... at this point, you've
00:48:22.160 --> 00:48:25.700
got full federation and SSO, assuming
you've opened up your firewall
00:48:25.750 --> 00:48:30.210
ports externally to
go into that box.
00:48:31.360 --> 00:48:35.030
Everything should be working at
that point. But, you know, you
00:48:35.080 --> 00:48:36.810
may want to add that proxy and,
of course, you don't want to
00:48:36.860 --> 00:48:38.850
do this in production. Again, I'll
state that again, because
00:48:38.900 --> 00:48:43.030
that one box goes down, you know,
users are not going to be able
00:48:43.080 --> 00:48:47.670
to log in. But nonetheless, you
know, this is... this makes
00:48:47.720 --> 00:48:51.290
life a lot easier. And even... I
will say that one other thing
00:48:51.340 --> 00:48:55.510
I wanted to point out is even if
you do not have that external
00:48:55.560 --> 00:49:00.800
port open, maybe you've got that
firewall guy that is being a
00:49:00.850 --> 00:49:04.180
stickler, like I don't want to
open up SSL to some, you know,
00:49:04.230 --> 00:49:08.220
AD box, perhaps. Well, even inside,
what it... the clients that
00:49:08.270 --> 00:49:12.690
are inside and are domain joined,
those clients would still be
00:49:12.740 --> 00:49:16.140
able to have the single sign-on in that
federation into the cloud server.
00:49:16.190 --> 00:49:19.080
So they don't even have to type a
password. Sign into the Office
00:49:19.130 --> 00:49:21.460
365 or Windows Intune portal.
00:49:22.130 --> 00:49:24.830
So that's a lot there. I know
we're kind of out of time.
00:49:24.880 --> 00:49:27.690
>> Yeah, yeah. I mean, we've had
a lot of questions coming up
00:49:27.740 --> 00:49:30.550
on the [Indiscernible] here. One thing
to know about the documentation,
00:49:30.600 --> 00:49:32.460
when it's going to be available,
where should they look out for
00:49:32.510 --> 00:49:33.340
an announcement?
00:49:33.390 --> 00:49:36.270
>> Well, just keep checking back
in my blog. I have been trying
00:49:36.320 --> 00:49:39.400
to push on a bit... it's engineering
right now that's holding
00:49:39.450 --> 00:49:42.440
me back. So, I mean, it's done.
00:49:42.490 --> 00:49:47.890
So, you know, that's... that's...
it's coming. I don't know.
00:49:47.940 --> 00:49:50.390
I wish it was here a month ago.
00:49:50.440 --> 00:49:52.160
>> So you're going to tweet out
on your Twitter account?
00:49:52.210 --> 00:49:54.200
>> I'll tweet it out on my Twitter
account. I'll have a blog
00:49:54.250 --> 00:49:55.610
post on it.
00:49:55.660 --> 00:49:57.810
>> I've got to work on saying that.
I can't say it. It's Twitter,
00:49:57.860 --> 00:49:58.480
is it?
00:49:58.530 --> 00:49:59.250
>> Yeah I'm going to tweet it.
00:49:59.300 --> 00:50:00.200
>> Twitter.
00:50:00.250 --> 00:50:03.400
>> Well, look on my Twitter account
for a tweet, you know.
00:50:04.820 --> 00:50:09.950
>> So that is a wrap, and I'll, you
know, over the lunch or, you
00:50:10.000 --> 00:50:12.260
know, maybe this break I'll try to
answer some additional questions
00:50:12.310 --> 00:50:14.670
because I know we were kind of
compressed on time for this.
00:50:14.720 --> 00:50:15.470
>> Absolutely.
00:50:15.820 --> 00:50:20.650
>> But yeah. So yeah, that's the
end. That's a wrap for AD to
00:50:20.700 --> 00:50:22.080
Windows Azure Active Directory.
00:50:22.130 --> 00:50:24.300
>> So we're going to take a ten-minute
break here and then we'll
00:50:24.350 --> 00:50:27.050
come back with the next couple of
modules before lunch.
00:50:27.050 --> 00:50:28.050
So join us then.